Manage users and roles

This topic covers creating and managing the administrative users on your API team who develop and test APIs, run reports, and perform other API admin tasks. Administrative users and roles do not apply to app developers, the consumers of your API. For information on controlling app developer access to your APIs, see Publishing Overview.

You access user and role management in the Admin menu of the management UI.

Before you and your team can start using Apigee Edge for creating and managing APIs, you need to have an account and an organization. Once you have an account and an organization, if you're an organization administrator, you have access to the Admin tab on Apigee Edge where you can add and modify users. As part of adding or modifying users, you set the user's role.

Users can be assigned to more than one role. If a user has multiple roles assigned, the greater permission takes precedence. For example, if one role doesn't allow the user to create API proxies, but another role does, then the user can create API proxies. In general, it is not a common use case to assign users multiple roles. See "Adding roles to a user" below.

About user roles

In Apigee Edge, user roles form the basis of role-based access, meaning that you can control what functions a person can access by assigning them a role (or roles). By default, your role is set based on how you create your account:

If you create your own Edge account, your role is set to organization administrator in your organization. If you add users to your organization, you set the user role (or roles) at the time that you add them. If you are later added to another organization, your role is determined by the administrator of that organization.

If an administrator creates your account, your role (or roles) is determined by the administrator. An organization administrator can later change your role(s) if necessary. See "Adding roles to a user" below.

The following roles and permissions are available by default:

By default, all users associated with an organization can view details about other organization users, such as email address, first name, and last name. Only users with the Organization Administrator role can add or update other organization users.

| Permissions | User | Business User | Organization Administrator | Read-only Organization Administrator* | Operations Administrator |
|---|---|---|---|---|---|
| APIs | | | | | |
| View the list and details of an organization's APIs. Modify and delete API details. | yes | yes | yes | View only | yes |
| Create, update, and delete APIs | yes | no | yes | no | no |
| API deployment | | | | | |
| Deploy API proxies to a test environment | yes | no | yes | no | yes |
| Deploy API proxies to a production environment | no | no | yes | no | yes |
| API trace | | | | | |
| Create and delete trace sessions and get their data in a test environment | yes | yes | yes | no | yes |
| Create and delete trace sessions and get their data in a production environment | yes | no | yes | no | yes |
| Products | | | | | |
| View API products | yes | yes | yes | yes | yes |
| Create, update, and delete API products | no | yes | yes | no | no |
| Developers | | | | | |
| View developers | yes | yes | yes | yes | yes |
| Create, update, and delete developers | no | yes | yes | no | no |
| Developer apps | | | | | |
| View developer apps | yes | yes | yes | yes | yes |
| Create, update, and delete developer apps | no | yes | yes | no | no |
| Analytics | | | | | |
| View custom reports | yes | yes | yes | yes | yes |
| Create, update, and delete custom reports | no | yes | yes | no | no |
| Users and roles | | | | | |
| View users and roles | no | no | yes | yes | no |
| Create, update, and delete users | no | no | yes | no | no |
| Create, update, and delete user roles | no | no | yes | no | no |
| Environments | | | | | |
| View cache details | yes | yes | yes | yes | yes |
| Create, update, and delete caches | no | no | yes | no | no |
| View virtual host details | yes | yes | yes | no | yes |

*Read-only Organization Administrator has access to the same entities as an Organization Administrator but access is read only. This role is for OPDK installations only, not for the cloud.

Creating roles

Viewing user data

The Organization Users table on the Admin > Organization Users page lists all of the users attached to the current organization. For each user you can see:

Name: The name of the user you entered when you created the user.

Primary email: The email address you entered when you created the user.

Role: The role of the user, which determines the degree of access. By default, all users have a user role that gives them full access to all features in Apigee.

Adding roles to a user

You can add one or more roles to a user when you create a new user or when you edit an existing user.

If a user has multiple roles assigned, the greater permission takes precedence. For example, if one role doesn't allow the user to create API proxies, but another role does, then the user can create API proxies. In general, it is not a common use case to assign users multiple roles.
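
Because the greater permission takes precedence, a user's effective access is the union of what each assigned role grants. The following added example (not Apigee code; the function names and sample users are constructed, and the trace row label is shortened) encodes selected yes/no rows of the default permissions table on this page and flags multi-role users whose combined access is not granted by any single role they hold.

```python
# Added example: effective permissions when one user holds several roles.
# Rows come from this page's default permissions table; the rest is constructed.
ROLES = ["User", "Business User", "Organization Administrator",
         "Read-only Organization Administrator", "Operations Administrator"]

# One y/n flag per role, in ROLES order (selected yes/no rows of the table).
TABLE = {
    "Create, update, and delete APIs":                "ynynn",
    "Deploy API proxies to a test environment":       "ynyny",
    "Deploy API proxies to a production environment": "nnyny",
    "Trace sessions in a production environment":     "ynyny",
    "Create, update, and delete API products":        "nyynn",
    "Create, update, and delete developers":          "nyynn",
    "Create, update, and delete users":               "nnynn",
    "Create, update, and delete user roles":          "nnynn",
    "Create, update, and delete caches":              "nnynn",
}

def role_permissions(role):
    """Permissions a single default role grants."""
    i = ROLES.index(role)
    return {perm for perm, flags in TABLE.items() if flags[i] == "y"}

def effective_permissions(roles):
    """Greater permission wins: granted if any assigned role grants it."""
    return set().union(*(role_permissions(r) for r in roles))

def covering_roles(roles):
    """Single default roles that grant at least the combined permissions."""
    need = effective_permissions(roles)
    return [r for r in ROLES if need <= role_permissions(r)]

def audit(assignments):
    """Flag multi-role users whose combined access no held role grants alone."""
    findings = {}
    for user, roles in assignments.items():
        cover = covering_roles(roles)
        if len(roles) > 1 and not set(cover) & set(roles):
            findings[user] = cover  # the only single roles with equal reach
    return findings

# Constructed sample assignments.
SAMPLE = {
    "dev@example.com": ["User"],
    "ops-biz@example.com": ["Business User", "Operations Administrator"],
    "admin@example.com": ["User", "Organization Administrator"],
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A finding lists the single roles that would grant the same reach; when that list contains only Organization Administrator, the role combination deserves a review against least privilege.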

Deleting users

There are two ways to delete a user:

To remove a user from your account, select the user in the Organization Users table and click Delete. This only removes the user from the current account. If the user is a member of multiple accounts, they remain in the system.